Azure Web 应用程序 - 如何使用委托和应用程序权限
[英]Azure Web Application - how to use both delegated and Application permissions
问题描述
Background Information.
背景信息。
I would like my ASP.NET web application to use the MS Identity platform to authenicate users... and allow them to see their own profile.我希望我的 ASP.NET web 应用程序使用 MS Identity 平台对用户进行身份验证......并允许他们查看自己的个人资料。 This part of my code is working.我的这部分代码正在工作。 I also have a function that allows the end user to pick an file from their local computer and upload to SP via upload session via MS Graph.我还有一个 function 允许最终用户从他们的本地计算机中选择一个文件并通过 MS Graph 上传 session 上传到 SP。 This is also currently working这也是目前工作
The security configuration I have under "API Permissions" for my Azure Application registration is as follows:我的 Azure 应用程序注册的“API 权限”下的安全配置如下:
- Sites.ReadWrite.All->Delegated Sites.ReadWrite.All->委托
- User.Read->Delegated User.Read->Delegated
But now I would like to have the application itself do the file upload.但现在我想让应用程序本身进行文件上传。 So I change the security settings to look like this:所以我将安全设置更改为如下所示:
- Sites.ReadWrite.All->Application Sites.ReadWrite.All->应用程序
- User.Read->Delegated User.Read->Delegated
When I try to upload, I get an access denied error message returned当我尝试上传时,我收到拒绝访问错误消息返回
I also added "Files.ReadWrite.All" for the application, but that didn't work either.我还为应用程序添加了“Files.ReadWrite.All”,但这也不起作用。 Can someone point me in the right direction?有人可以指出我正确的方向吗? Do i have to create a separate graphClient just for the application to the upload?我是否必须为要上传的应用程序创建一个单独的 graphClient?
EDIT 1编辑 1
I'm wondering if this is relevant:我想知道这是否相关:
https://docs.microsoft.com/en-us/answers/questions/354161/sitesselected-accessdenied-when-uploading-files.html https://docs.microsoft.com/en-us/answers/questions/354161/sitesselected-accessdenied-when-uploading-files.html
Does anyone know what the OP means when he says有谁知道他说的OP是什么意思
Our application is registered to have access at target site collection with permission role "WRITE"
Or maybe a better question is how do you do this?或者也许更好的问题是你是如何做到这一点的?
1 个解决方案
解决方案1
0 2021-11-29 09:30:28
After assign the application type api permission to your azure ad app, you need to use ClientCredentialFlow to generate the access token and used it to call the api.将应用程序类型 api 权限分配给您的 azure 广告应用程序后,您需要使用ClientCredentialFlow生成访问令牌并使用它来调用 api。
Then you can use the access token to send http request directly.然后您可以使用访问令牌直接发送 http 请求。 It's an division part so it should work in your scenario.这是一个部门的一部分,所以它应该在你的场景中工作。
using Azure.Identity;
using Microsoft.Identity.Client;
IConfidentialClientApplication app;
app = ConfidentialClientApplicationBuilder.Create("azure_ad_app_client_id")
.WithClientSecret("client_secret")
.WithAuthority(new Uri("https://login.microsoftonline.com/your_tanent_name.onmicrosoft.com"))
.Build();
AuthenticationResult result = null;
string[] scopes = new string[] { "https://graph.microsoft.com/.default" };
result = await app.AcquireTokenForClient(scopes)
.ExecuteAsync();
string accesstoken = result.AccessToken;
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.